Single sign-on (SSO) allows users to use a single login across multiple enterprise applications. The Single Sign-On feature allows your team to sign in using your existing identity provider instead of an Invoiced username and password.
In the Invoiced application:
- Go to Settings → Team → Single Sign-On. If you do not see the Single Sign-On tab, contact Invoiced Support to have this feature enabled.
- Turn on the SAML Enabled toggle.
- Copy the issuer URL from your identity provider into the Issuer (Identity Provider Entity ID) field.
- Copy the sign-in URL from your identity provider into the Sign In URL field.
- Copy the certificate from the identity provider and paste it into the Certificate field.
Within your identity provider, follow these instructions:
- Create a new SAML 2.0 application in your identity provider for Invoiced.
- Copy the Assertion Consumer Service (ACS) URL value from the Setup Info section to the application ACS URL field in your identity provider.
- Copy the Service Provider Entity ID / Audience URI value from the Setup Info section to the application entity ID field in your identity provider.
- Set the NameID attribute to the user's email address.
Once the application has been configured on Invoiced and in the identity provider, users should be able to sign in using single sign-on.
After successfully testing that single sign-on is working, you can optionally disable other authentication methods for your Invoiced account. When this setting is enabled, users will only be able to sign in to your Invoiced account with single sign-on; other authentication methods, such as username/password, will not allow the user to access your Invoiced account.
If you have multiple entities that you wish to sign in to with single sign-on, you will need to continue setting up single sign-on after configuring your first entity. On each Invoiced entity that you wish to sign in to through your identity provider, you will need to copy the same SAML settings from the first entity that you set up. The SAML settings should match across all of your entities.
You do not have to do any additional configuration on your identity provider. You only need to set up the Invoiced application once on your identity provider for use with multi-entity single sign-on.
When a user signs in with multi-entity setup, they will only have to sign in once and they will see all of the entities to which they have access in the company switcher of the Invoiced app.
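As an added example (not Invoiced's own code), the Python below reads the issuer, sign-in URL and signing certificate from an identity provider's SAML 2.0 metadata and lists every entity whose pasted SAML settings differ from them, comparing certificates by SHA-256 fingerprint; it covers both the setup steps and the multi-entity rule that settings must match. The metadata, host names, entity names and the layout of the settings dictionaries are constructed assumptions, with the per-entity values standing in for what was typed into each entity's Single Sign-On form.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(cert_text):
    """SHA-256 of the DER bytes; accepts PEM or bare base64 with any whitespace."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def idp_settings(metadata_xml):
    """Pull the issuer, sign-in URL and signing certificate out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)  # assumption: first listed endpoint
    certs = [k.find(".//ds:X509Certificate", NS).text
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"]  # no "use" means any purpose
    return {"issuer": root.get("entityID"), "sign_in_url": sso.get("Location"),
            "cert_sha256": cert_fingerprint(certs[0])}

def mismatches(expected, entities):
    """List (entity, field) pairs whose pasted value differs from the metadata."""
    bad = []
    for name, pasted in entities.items():
        actual = dict(pasted, cert_sha256=cert_fingerprint(pasted["certificate"]))
        bad += [(name, f) for f in expected if actual[f] != expected[f]]
    return bad

# Constructed sample data: host names and certificate bytes are placeholders.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64[:20]}
        {CERT_B64[20:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----"
GOOD = {"issuer": "https://idp.example.test/saml",
        "sign_in_url": "https://idp.example.test/sso", "certificate": PEM}
ENTITIES = {"Entity A": GOOD,
            "Entity B": dict(GOOD, sign_in_url="https://idp.example.test/login")}
```

Calling `mismatches(idp_settings(METADATA), ENTITIES)` flags only Entity B's sign-in URL; the fingerprint from `cert_fingerprint` can also be compared with the one your identity provider displays for its signing certificate.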
Once single sign-on is properly configured, users can sign in to Invoiced from your identity provider. When signing in with SSO, users will only see the Invoiced entities that are connected with the identity provider that they signed in with and to which they have access.
It is also possible to sign in using SSO from Invoiced if users go to the Start URL in the Setup Info section or click the Login with SSO button on the Invoiced login screen.
When using Single Sign-On on Invoiced, be aware of the following limitations and unsupported features:
- Just-In-Time (JIT) user provisioning is not supported. New users must also be added to Settings → Team → Users.
- Single Log Out (SLO) is not supported.
- System for Cross-domain Identity Management (SCIM) is not supported.